When creating an api key does run-as override the other settings?

Russell_Fulton · January 31, 2023, 12:28am

I created an API key and left the other settings apart from run-as as default (i.e. wide open) and set run as to a user with a role that has the desired priviliges.

Will this key have the restriction of the assigned role?

I would hope yes! : )

Yang_Wang · January 31, 2023, 4:14am

Did you create the API key with something like the following

POST _security/api_key
{
  "name": "k1",
  "role_descriptors": {
    "x": {
      "run_as": [
        "foo"
      ]
    }
  }
}

If yes, the API key will only have the privilege to run-as user foo and nothing else.

Russell_Fulton · February 1, 2023, 6:22pm

Thanks!

Ah! I should have been more explicit. I generated the key in kibana. So should cut everything except the run-as entry?

My reasoning was that if the key ran as a particular user then that would define the actual access.

Yang_Wang · February 2, 2023, 3:12am

That's correct

system · March 2, 2023, 3:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parameter run_as for "role" Elasticsearch elastic-stack-security	2	1018	July 6, 2017
X-Pack run_as Elasticsearch	3	844	August 18, 2017
Config a role in roles.yml but cannot specify some privileges Elasticsearch elastic-stack-security	4	624	August 13, 2019
401 after updating API Key role descriptors Elasticsearch elastic-stack-security , language-clients	9	846	April 13, 2023
Super user elastic can't run as regular user Elasticsearch	2	132	March 8, 2024

When creating an api key does run-as override the other settings?

Related topics